vulnerability

WordPress Theme: onair2: CVE-2021-24472: Server-Side Request Forgery (SSRF)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Jun 28, 2021	Dec 8, 2025	Dec 8, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Jun 28, 2021

Added

Dec 8, 2025

Modified

Dec 8, 2025

Description

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Solution

onair2-theme-cve-2021-24472

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24472
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/93b5552e-bb24-4dfb-a779-8451f619ff50?source=api-prod
CVE-2021-24472
https://attackerkb.com/topics/CVE-2021-24472
CWE-918

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today